DoS Attacks That Can Crash Web Servers With Ease

A researcher has disclosed a new denial-of-service (DoS) attack method that he claims could pose a severe threat, greater than Rapid Reset, the vulnerability exploited last year to launch the largest known DDoS attacks. The research has found that the CONTINUATION frame in the HTTP/2 protocol can be used to carry out Denial-of-Service (DoS) attacks.

The new DoS attack method, named HTTP/2 Continuation Flood, was discovered by Bartek Nowotarski, who publicly disclosed his findings, which are co-ordinated with CERT Coordination Centre (CERT/CC) at Carnegie Mellon University, which  has published an advisory note.

The codename HTTP/2 CONTINUATION Flood was devised by  Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) in January. "Many HTTP/2 implementations do not properly limit or sanitise the amount of CONTINUATION frames sent within a single stream," according to  CERT/CC. "An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash."

Like in HTTP/1, HTTP/2 uses header fields within requests and responses. These header fields can comprise header lists, which in turn, are serialised and broken into header blocks. The header blocks are then divided into block fragments and transmitted within HEADERS or what's called CONTINUATION frames.The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments. The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it's the end of the header block. 

According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that was highlighted in October 2023.

"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," he said. "Remarkably, requests that constitute an attack are not visible in HTTP access logs."

The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.

Essentially, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no set END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.

While the exact outcome varies depending on the implementation, impacts range from instant crash after sending a couple of HTTP/2 frames and out of memory crash to CPU exhaustion, thereby affecting server availability.

Below are several CVE listings to reflect the vulnerability within different implementations.

  • CVE-2024-27983:  An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
  • CVE-2024-27919:  Envoy's oghttp codec does not reset a request when header map limits have been exceeded. This allows an attacker to send an sequence of CONTINUATION frames without the END_HEADERS bit set causing unlimited memory consumption.
  • CVE-2024-2758:   empesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately.
  • CVE-2024-2653:  amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of amphp/http. Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) are also directly affected.
  • CVE-2023-45288:  The Go packages net/http and net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
  • CVE-2024-28182:  An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
  • CVE-2024-27316:  HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be sent in a continuous stream by an attacker to an Apache Httpd implementation, which will not properly terminate the request early.
  • CVE-2024-31309:  HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.
  • CVE-2024-30255:  HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier are vulnerable to CPU exhaustion due to flood of CONTINUATION frames.

The Envoys HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoys header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilisation, consuming approximately 1 core per 300Mbit/s of traffic.

Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it's advised to consider temporarily disabling HTTP/2 on the server.

Nowotarski     |   Carnegie Mellon University     |      CISA      |        Data Tracker   |    Security Week     |    

The Hacker News     |       Security Affairs     |     Bleeping Computer

Image:   cookieone

You Might Also Read: 

EnemyBot Malware Targets Web Servers:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

« Google Deploys AI To Find Search Answers
Large Language Models Are An Inflection Point For Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Huawei

Huawei

Huawei is a leading global ICT solutions provider. with end-to-end capabilities across the carrier networks, enterprise, consumer, and cloud computing fields.

WIRED

WIRED

WIRED is the magazine about what's next – the people, the trends and the big ideas that will change our lives. Topics covered include cyber security.

Arxan Technologies

Arxan Technologies

Arxan is a leader of application attack-prevention and self-protection products for Internet of Things (IoT), Mobile, Desktop, and other applications.

Cyber 360

Cyber 360

Cyber 360 is a Cybersecurity contract and fulltime placement firm dedicated to identifying and hiring Cybersecurity professionals.

AFCERT

AFCERT

AFCERT is the national Computer Emergency Response Team for Afghanistan.

BPC Banking Technologies

BPC Banking Technologies

BPC’s advanced fraud prevention solution helps card issuers and acquirers combat the growing threat by monitoring 100% of transactions, online, in real-time across all channels.

Forensic Pathways

Forensic Pathways

Forensic Pathways focus on the provision of digital forensic technologies, offering clients unique technologies in the management of mobile phone data, image analysis and ballistics analysis.

ecsec

ecsec

ecsec is a specialized vendor of security solutions including information security management, smart card technology, identity management, cloud computing and electronic signature technology.

Appgate

Appgate

Appgate is the secure access company. We empower how people work and connect by providing solutions purpose-built on Zero Trust security principles.

Militus

Militus

Militus provides the only information security service available that learns and analyzes your network over time using a custom-built network-based toolset.

Cythereal

Cythereal

Cythereal is the leader in predicting and preventing advanced malware attacks. Security Automation for the Overwhelmed Administrator.

Allot

Allot

Allot are a global provider of leading innovative network intelligence and security solutions for Service Providers and Enterprises worldwide.

Corinium Global Intelligence

Corinium Global Intelligence

At Corinium, we have been bringing together the brightest minds in data, AI and info sec since 2013, to innovate at the intersection of technological advancements and critical thinking.

OutKept

OutKept

OutKept offers the highest quality phishing simulation campaigns, supported by a community of ethical phishers, to build awareness, and maintain alertness.

Twilio

Twilio

Twilio are the customer layer for the internet, powering the most engaging interactions companies build for their customers. We provide simple tools that solve hard problems.

Intraframe US

Intraframe US

Intraframe US is a cybersecurity company in Memphis, specializing in Digital Forensics Incident Response and Managed IT services. We provide SMBs with a 24/7 SOC for proactive Cyber Threat Management.